Differences

This shows you the differences between two versions of the page.

--- public:secureprogramming [2014-09-11 11:51] – [OWASP tools] petrs
+++ public:research:secprog:secureprogramming [2015-10-21 10:56] – [Vulnerable app / distro / hackme challenges] petrs
@@ Line 2: / Line 2: @@
   * 19 deadly sins of software programming (Howard), examples, list of reasonably fresh real examples: http://www.math.uaa.alaska.edu/~afkjm/cs470/handouts/SecuritySins.pdf
+  * Mozilla secure coding guidelines: https://developer.mozilla.org/en-US/docs/Secure_Development_Guidelines
 ===== Security programming courses =====
@@ Line 81: / Line 83: @@
     * Run cmd with Administrator privileges
       * peach configuration.xml
+    * Run Peach in agent mode: //peach -a tcp//
+      * ERROR: Error, could not load platform assembly 'Peach.Core.OS.Windows.dll'.  The assembly is part of the Internet Security Zone and loading has been blocked.
+      * Solution: https://forums.peachfuzzer.com/showthread.php?198-Could-not-load-platform-assembly-Peach-Core-OS-Windows-dll
+    * ERROR: Could not start monitor "WindowsDebugger".  Could not find a part of the path 'C
+:\Program Files\Debugging Tools for Windows (x86)\dbgeng.dll'.
+      * set proper path to WinDbg (e.g., c:\Program Files (x86)\Debugging Tools for Windows\) in peach pit file
+      * <Param name="WinDbgPath" value="c:\Program Files (x86)\Debugging Tools for Windows\" />
 ===== Notes =====
@@ Line 90: / Line 101: @@
     * Properties from Andrii
     * IDE integration vs. standalone / server-based tool
-  * Miro - Coverity experience
+  * Coverity experience
-  * 3 bc works
+  * 3 bc theses
+    * Use owasp tools, test against vulnerable apps, evaluate
+    * Implement personalized testing scenarios inside given framework (he Web Application Hacker's Handbook scenarios)
+      * multiple scenarios, every week demonstration of progress
+    * Vulnerability scanners - Nessus, Metasploit...
   * Metrics (owasp top 10)
@@ Line 133: / Line 148: @@
     * TRY
   * [2014] OWASP OWTF, the Offensive (Web) Testing Framework https://www.owasp.org/index.php/OWASP_OWTF
+  * [2014] XSS detection toolkit https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework
+    * TRY
+  * [2014] OWASP ZED Attack Proxy Project https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
+    * TRY
+  * [2014] OSAFT https://www.owasp.org/index.php/O-Saft
+    * ssl testing and auditing tool
+    * tool to show informations about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations
+    * try
 ==== Vulnerable app / distro / hackme challenges ====
@@ Line 149: / Line 172: @@
     * vulnerable app, challenges
     * TRY
+  * [2013] OWASP Security Shepherd https://www.owasp.org/index.php/OWASP_Security_Shepherd
+    * TRY, https://github.com/Hackademic/hackademic/
+    * security teaching application, CTF
+  * [2015] Samurai Web Testing Framework http://samurai.inguardians.com/
+    * preinstalled Mutillidae,
 ==== Security-supporting library ====
@@ Line 161: / Line 189: @@
   * [2014] JSON Sanitizer Project https://www.owasp.org/index.php/OWASP_JSON_Sanitizer
     * Given JSON-like content, convert it to valid JSON. Java library
+  * [2015] Several Java web applications and command line applications covering different security topics: https://github.com/dschadow/JavaSecurity
@@ Line 169: / Line 198: @@
-  * [2013] OWASP Security Shepherd https://www.owasp.org/index.php/OWASP_Security_Shepherd
-    * TRY
-    * security teaching application, CTF
-  * [2014] XSS detection toolkit https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework
-    * TRY
-  * [2014] OWASP ZED Attack Proxy Project https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
-    * TRY
-  * [2014] OSAFT https://www.owasp.org/index.php/O-Saft
-    * ssl testing and auditing tool
-    * tool to show informations about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations
-    * try